f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4

General

Target

f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe
Size

208KB
MD5

d8e0bd15e2bbcb5aadb7ae81f682d7df
SHA1

098a9b774d90a0572cbf26985ff8a5e5ebd7dd2c
SHA256

f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4
SHA512

6ce8c8699c1afd4b59cafb11e92ba02971a490859c4308c835f17bc8253d52de2e385357580e4c05958f84628b559277e899dc87e42626bf0a62c157c5ad653d
SSDEEP

3072:WDPrP0+IfBxULK6ur4AKKV6AopNgyci0phK0jnboVDcu38Xi+1ffsvaspDZc:gz0+uAKz4AKKSYg0jU9cOI3hA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1280	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe
872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\software\microsoft\windows\currentversion\run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\run	svchost.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\bb8dc09e = "\x11¸«\x18ûõÑ4ÕL>ÖEËkÂ³\u00a0:+ñÜdÇº\tã9Ç»úOúŠ¯g2\a:Sz÷ûÛ×ËÒ£jßŠ§Û%\x03\x17ßÚã\x1f\a·ÏÃ…\vÂ\x12/Ý“\x1aï“‹\u008f\x17Û\x1be\x12\"wýzíÍÿÇW\x02“ÿ¯SO7’Ï¢ÇJ\x13—\x7f'_Çã\nŸÿ\x7fÚU•\x1b²jsGßâÛw%Ÿ/¿WU»/ÓsWÏbÊ/ÛÊ/²2¯â\x7fZºÏ'mWwûuß?G²“ƒ\a÷ÅW_\u008f\u008fïêZúú’/¿—ý\x7f§\x1fÏSê¿š×Ò\x1fRjú3÷û‡\x02bÒÚ¯r•ŸÒ\x1a\a\nš§\"›Â\u008fW*\x12÷}W7jú\u008fÚ·\u009dKo?guú\x1f/Ÿ×5Â\u00ad\x7f¯õ2'Ç\x1f‡Wòb»ªê"	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyvep.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygygin.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyvyz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykyc.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purypol.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\svchost.exe	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe
File created	C:\Windows\apppatch\svchost.exe	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1280	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe
Token: SeSecurityPrivilege	872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe
Token: SeSecurityPrivilege	1280	svchost.exe
Token: SeSecurityPrivilege	1280	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1280	872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe	27
PID 872 wrote to memory of 1280	872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe	27
PID 872 wrote to memory of 1280	872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe	27
PID 872 wrote to memory of 1280	872	f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe	27

C:\Users\Admin\AppData\Local\Temp\f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe
"C:\Users\Admin\AppData\Local\Temp\f28c56dfae77c517dd1bcfab9cfa6489834553d7c3f9f022b29b3f02800862c4.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
208KB

MD5
11e65feca8bfdd4f08a269f3af10b81c

SHA1
642d71017b1bb0a4aa7d0b0c0b0e755d1cdb525f

SHA256
66cd22d99c82bbfb158859857173b275b1468985c4e9b73a78bded83403b485a

SHA512
01f081bf53a9f6d37e8d335441e25ad357395ee0fedb7c4139b24aba4334df7550ef2d5387b04b071ff3e6caa12582026422b7fede3043833f21d9469c708013

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
208KB

MD5
11e65feca8bfdd4f08a269f3af10b81c

SHA1
642d71017b1bb0a4aa7d0b0c0b0e755d1cdb525f

SHA256
66cd22d99c82bbfb158859857173b275b1468985c4e9b73a78bded83403b485a

SHA512
01f081bf53a9f6d37e8d335441e25ad357395ee0fedb7c4139b24aba4334df7550ef2d5387b04b071ff3e6caa12582026422b7fede3043833f21d9469c708013

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
208KB

MD5
11e65feca8bfdd4f08a269f3af10b81c

SHA1
642d71017b1bb0a4aa7d0b0c0b0e755d1cdb525f

SHA256
66cd22d99c82bbfb158859857173b275b1468985c4e9b73a78bded83403b485a

SHA512
01f081bf53a9f6d37e8d335441e25ad357395ee0fedb7c4139b24aba4334df7550ef2d5387b04b071ff3e6caa12582026422b7fede3043833f21d9469c708013

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
208KB

MD5
11e65feca8bfdd4f08a269f3af10b81c

SHA1
642d71017b1bb0a4aa7d0b0c0b0e755d1cdb525f

SHA256
66cd22d99c82bbfb158859857173b275b1468985c4e9b73a78bded83403b485a

SHA512
01f081bf53a9f6d37e8d335441e25ad357395ee0fedb7c4139b24aba4334df7550ef2d5387b04b071ff3e6caa12582026422b7fede3043833f21d9469c708013

Download Submit
memory/872-62-0x00000000002F0000-0x0000000000342000-memory.dmp

Filesize
328KB

Download
memory/872-54-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/872-56-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/872-55-0x00000000002F0000-0x0000000000342000-memory.dmp

Filesize
328KB

Download
memory/872-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/872-64-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1280-68-0x0000000002250000-0x00000000022FA000-memory.dmp

Filesize
680KB

Download
memory/1280-66-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1280-67-0x0000000002250000-0x00000000022FA000-memory.dmp

Filesize
680KB

Download
memory/1280-63-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1280-69-0x0000000002250000-0x00000000022FA000-memory.dmp

Filesize
680KB

Download
memory/1280-71-0x0000000002250000-0x00000000022FA000-memory.dmp

Filesize
680KB

Download
memory/1280-72-0x0000000002250000-0x00000000022FA000-memory.dmp

Filesize
680KB

Download
memory/1280-74-0x0000000002250000-0x00000000022FA000-memory.dmp

Filesize
680KB

Download
memory/1280-76-0x0000000002400000-0x00000000024B7000-memory.dmp

Filesize
732KB

Download
memory/1280-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1280-78-0x0000000002400000-0x00000000024B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads